Skip to content

Allow using GCS without providing credentials #25811

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Allow using GCS without providing credentials #25811

wants to merge 1 commit into from

Conversation

patricklucas
Copy link

@patricklucas patricklucas commented May 16, 2025
edited by ebyhr
Loading

Description

If a JSON key or key file path are not provided, and using access tokens is not enabled, do not attempt to get the Application Default Credentials, instead allowing the GCS client library to use its own default behavior.

This will allow using Trino with custom GCS-compatible endpoints without auth, such as during development and testing.

Additional context and related issues

Fixes #25810

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
(x) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

## Section
* Add support for using GCS without credentials (#25810)

@cla-bot cla-bot
Copy link

cla-bot bot commented May 16, 2025

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

@patricklucas
Copy link
Author

I will take a look at the CLA once I get positive indication this change would be accepted.

@cla-bot cla-bot
Copy link

cla-bot bot commented May 17, 2025

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

ebyhr
ebyhr reviewed May 18, 2025
View reviewed changes
@patricklucas
Allow using GCS without providing credentials
58698d5 
When GCS credentials are otherwise unconfigured, do not re-throw an
exception thrown by `GoogleCredentials.getApplicationDefault()`, which
indicates that credentials are not available in the environment.

This is consistent with the GCP SDK, and allows for anonymous access to
GCS (or a GCS emulator).
@cla-bot cla-bot
Copy link

cla-bot bot commented May 19, 2025

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

@patricklucas
Copy link
Author

CLA submitted.

@wendigo
Copy link
Contributor

wendigo commented May 21, 2025

@cla-bot check

@cla-bot cla-bot
Copy link

cla-bot bot commented May 21, 2025

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

@cla-bot cla-bot
Copy link

cla-bot bot commented May 21, 2025

The cla-bot has been summoned, and re-checked this pull request!

Praveen2112
Praveen2112 reviewed May 22, 2025
View reviewed changes
Copy link
Member

@Praveen2112 Praveen2112 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the default mode for these Credentials ? The default behaviour is to use the ApplicationDefaultCredentials right

Praveen2112
Praveen2112 reviewed May 22, 2025
View reviewed changes
lib/trino-filesystem-gcs/src/main/java/io/trino/filesystem/gcs/GcsStorageFactory.java
@@ -99,7 +99,8 @@ public Storage create(ConnectorIdentity identity)
return GoogleCredentials.getApplicationDefault();
}
catch (IOException e) {
throw new UncheckedIOException(e);
// This is consistent with the GCP SDK when no credentials are available in the environment
return null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or should we use NoCredentials ?

@patricklucas
Copy link
Author

What is the default mode for these Credentials ? The default behaviour is to use the ApplicationDefaultCredentials right

The default behavior of the library as linked to above/in the original issue is to call GoogleCredentials.getApplicationDefault(), but importantly, to return null if it throws an exception (which signifies no application default credentials are available in the environment). This is different from the current behavior of Trino which calls that method, but propagates the exception.

Passing NoCredentials is a way for a user of the library to explicitly indicate that they do not want to authenticate. I don't think that Trino should assume that in any case, but a possible route would be to add a configuration option to do so.

My preference is what I had originally—if no credentials options are set, simply fall back to the default behavior of the library by not calling setCredentials at all, rather than trying to emulate its behavior by calling GoogleCredentials.getApplicationDefault() ourselves.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wendigo wendigo wendigo left review comments

@ebyhr ebyhr ebyhr left review comments

@Praveen2112 Praveen2112 Praveen2112 left review comments

@findinpath findinpath findinpath left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Should be possible to use GCS without authentication
5 participants
@patricklucas @wendigo @ebyhr @Praveen2112 @findinpath